If you are planning to deploy, or have already deployed, Forefront Endpoint Protection 2010 (FEP), this may interest you.

As you know, FEP is designed to be managed through System Center Configuration Manager (SCCM), BUT… you may not have SCCM deployed, or you may need more granularity than it offers.

Microsoft has released tools to manage FEP with Group Policy (GPO).

The first thing you need to download and deploy is the ADMX file. It is available from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=04f7d456-24a2-4061-a2ed-82fe93a03fd5 (fep2010grouppolicytools-en-us.exe).

This download includes the ADMX and ADML files required to add the FEP administrative template to Group Policy, plus a tool to import and export FEP settings to and from a GPO.

Once you have deployed the files (the ADMX file into %systemroot%\PolicyDefinitions and the ADML file into %systemroot%\PolicyDefinitions\en-US on the machine where you edit policies, or into the matching folders of the domain central store under SYSVOL if you use one), the FEP settings become available in the Group Policy editor under

Computer Configuration\Policies\Administrative Templates\System\Forefront Endpoint Protection.
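The ADMX/ADML deployment step above, as an added PowerShell example (not part of the original post or of Microsoft's tooling). It assumes you have already extracted fep2010grouppolicytools-en-us.exe into a folder of your choice (`$ExtractDir` below is a placeholder), prefers the domain central store when it exists, and falls back to the local PolicyDefinitions folder otherwise. It also checks that every ADMX has its ADML, because a missing language file makes the Group Policy editor fail to load the template.

```powershell
# Added example: stage the FEP 2010 administrative template files.
# Assumption: the self-extracting package was already unpacked into $ExtractDir.
$ExtractDir = "C:\Temp\FEP2010GPTools"          # placeholder, adjust to your extraction folder
$Domain     = $env:USERDNSDOMAIN                 # DNS name of the current domain

# Central store (shared by all admins editing GPOs) vs. local store (this machine only).
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$LocalStore   = Join-Path $env:SystemRoot "PolicyDefinitions"
$Target       = if (Test-Path $CentralStore) { $CentralStore } else { $LocalStore }
$LangDir      = Join-Path $Target "en-US"        # ADML goes in the language subfolder

$admx = @(Get-ChildItem -Path $ExtractDir -Filter *.admx -Recurse)
$adml = @(Get-ChildItem -Path $ExtractDir -Filter *.adml -Recurse)
if ($admx.Count -eq 0) { throw "No .admx file found under $ExtractDir" }

# Copy the template and its language resources.
foreach ($f in $admx) { Copy-Item -Path $f.FullName -Destination $Target -Force }
New-Item -ItemType Directory -Path $LangDir -Force | Out-Null
foreach ($f in $adml) { Copy-Item -Path $f.FullName -Destination $LangDir -Force }

# Sanity check: each ADMX needs a same-named ADML in the language folder,
# otherwise gpmc.msc reports unresolved $(string.*) resources for the template.
foreach ($f in $admx) {
    $expected = Join-Path $LangDir ([IO.Path]::ChangeExtension($f.Name, ".adml"))
    if (Test-Path $expected) {
        "OK   $($f.Name) -> $Target (ADML: $expected)"
    } else {
        Write-Warning "Missing ADML for $($f.Name): expected $expected"
    }
}
```

Run it once on the machine (or, with the central store, from any domain-joined admin workstation) before opening the Group Policy Management Console; the new node only appears after the editor has reloaded the templates.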


To help you define GPO settings according to server role, Microsoft has also released sample policy definition files for various server roles (Exchange, SharePoint, DHCP, DNS, domain controllers…) (fepserverrolepoliciesforusewithgpo.exe).

With the tool included in the first download (the one that contains the ADMX file), you can import these sample definitions into your FEP GPO.


The sample definitions are based on the default settings of each server role, such as the default mailbox database path for Exchange Server.

They are nevertheless a good starting point for configuring FEP, especially the exclusions, as you are far less likely to forget an exclusion that your server role requires.

With this tool, you specify your domain and the destination GPO, then select the sample setting files (from fepserverrolepoliciesforusewithgpo.exe) that match the server role. Then update the imported settings to reflect your actual configuration, for example where a database or log folder has been moved away from its default path. Be careful: the exclusions (path, file or process) are defined BUT not enabled, so they have no effect until you explicitly enable them in the GPO.
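An added check for the "defined but not enabled" trap described above; this is example code written for this page, not part of the Microsoft tool. It assumes the destination GPO name, and it assumes the policy registry layout used by the Microsoft Antimalware platform that FEP is built on (entries stored as value names under `...\Exclusions\Paths`, `\Extensions` and `\Processes`, with a DWORD `Exclusions_<Kind>` under the parent key acting as the on/off switch); confirm those key names against the installed ADMX before relying on the script. It needs the GroupPolicy RSAT module.

```powershell
# Added example: audit a FEP 2010 GPO for exclusion lists that are defined but not enabled.
# Assumptions: $GpoName is a placeholder, and $Base follows the Microsoft Antimalware
# policy layout (check your ADMX if the key names differ on your build).
Import-Module GroupPolicy

$GpoName = "FEP - Exchange Servers"
$Base    = "HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions"

foreach ($kind in "Paths", "Extensions", "Processes") {
    # The list: one registry value per excluded item (the value name is the item).
    $entries = Get-GPRegistryValue -Name $GpoName -Key "$Base\$kind" -ErrorAction SilentlyContinue
    # The switch: Exclusions_<Kind> = 1 turns that list on.
    $switch  = Get-GPRegistryValue -Name $GpoName -Key $Base -ValueName "Exclusions_$kind" -ErrorAction SilentlyContinue

    $count   = if ($entries) { @($entries).Count } else { 0 }
    $enabled = [bool]($switch -and $switch.Value -eq 1)

    if ($count -gt 0 -and -not $enabled) {
        Write-Warning ("{0}: {1} {2} exclusion(s) defined but 'Exclusions_{2}' is not enabled" -f $GpoName, $count, $kind)
        # After reviewing the list, enable it in place by uncommenting the next line:
        # Set-GPRegistryValue -Name $GpoName -Key $Base -ValueName "Exclusions_$kind" -Type DWord -Value 1 | Out-Null
    } elseif ($count -gt 0) {
        "{0}: {1} {2} exclusion(s) enabled:" -f $GpoName, $count, $kind
        $entries | ForEach-Object { "    " + $_.ValueName }
    } else {
        "{0}: no {1} exclusions defined" -f $GpoName, $kind
    }
}
```

Review the printed list before enabling anything: every exclusion is a blind spot for the scanner, so a sample path that does not exist on your servers should be removed rather than switched on.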

The last interesting point is that GPO gives you access to deeper configuration than the FEP client UI does, such as some engine and update settings.